[Emerging-Sigs] FP 2406011

Lay, James james.lay at wincofoods.com
Wed Oct 20 13:15:13 EDT 2010


Rule hit:

Oct 20 11:11:34 10.21.10.2 snort[14899]: [1:2406011:193] ET RBN Known Russian Business Network IP UDP (6) [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.0.66:427 -> 123.123.123.123:427

 

Rule:

alert udp [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135] any <> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP (6)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406011; rev:193;)

 

Packet dump:

11:11:31.480668 IP 192.168.0.66.427 > 123.123.123.123.427: UDP, length 44
        0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
        0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
        0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
        0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
        0x0040:  7665 723a 0000 0000                      ver:....

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704
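
Added example, not part of the original post: a Python decoder for the packet dump above, useful when triaging this alert, since the rule matches on addresses only and has no content option. It assumes the payload is SLPv1 (RFC 2165), based on UDP port 427 and the leading version byte 0x01; the names decode_slp and SLPV1_FUNCTIONS are chosen for this example.

```python
import ipaddress
import struct

# Bytes copied from the hex dump in the post (IPv4 header onward, 72 bytes).
PACKET = bytes.fromhex(
    "4500 0048 4d25 0000 8011 359f c0a8 0042"
    "7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c"
    "0000 656e 0003 a652 0000 0018 7365 7276"
    "6963 653a 782d 6870 6e70 2d64 6973 636f"
    "7665 723a 0000 0000"
)

# SLPv1 function IDs (RFC 2165).
SLPV1_FUNCTIONS = {1: "SrvReq", 2: "SrvRply", 3: "SrvReg", 4: "SrvDereg",
                   5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
                   9: "SrvTypeRqst", 10: "SrvTypeRply"}


def decode_slp(packet):
    """Decode an IPv4/UDP packet carrying an SLPv1 message into a dict."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    src, dst = (str(ipaddress.ip_address(packet[o:o + 4])) for o in (12, 16))
    sport, dport, udp_len = struct.unpack_from("!HHH", packet, ihl)
    slp = packet[ihl + 8:ihl + udp_len]
    if len(slp) < 12 or slp[0] != 1:
        raise ValueError("payload is not SLPv1")
    # Fixed 12-byte header: version, function, length, flags, dialect,
    # language code, character encoding, transaction ID (XID).
    _, func, length, _, _, lang, enc, xid = struct.unpack_from("!BBHBB2sHH", slp)
    if length != len(slp):
        raise ValueError("SLP length field does not match UDP payload")
    out = {"src": src, "dst": dst, "sport": sport, "dport": dport,
           "function": SLPV1_FUNCTIONS.get(func, f"unknown({func})"),
           "lang": lang.decode("ascii", "replace"), "charset": enc, "xid": xid}
    if func == 6:
        # AttrRqst body: four strings, each with a 16-bit length prefix.
        off = 12
        for name in ("prev_responders", "url", "scope", "select"):
            n = int.from_bytes(slp[off:off + 2], "big")
            if off + 2 + n > len(slp):
                raise ValueError("truncated AttrRqst body")
            out[name] = slp[off + 2:off + 2 + n].decode("ascii", "replace")
            off += 2 + n
    return out


if __name__ == "__main__":
    for key, value in decode_slp(PACKET).items():
        print(f"{key:16} {value!r}")
```

The decoded URL field is the same service:x-hpnp-discover: string visible in the ASCII column of the dump.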

 
